The European Union's highest court struck a big blow Tuesday against Facebook and other companies by ruling that a long-running pact allowing the free transfer of data to the U.S. is invalid as it does not adequately protect consumers.
 
The verdict could have far-reaching implications for companies operating in Europe. Though it does not ban the transfer of data, the ruling means national authorities can review what kinds of information companies want to send to the U.S., complicating business.

Max Schrems, a 28-year-old Austrian law student, brought the case in which he complained that U.S. law doesn't offer sufficient protection against surveillance of data transferred by Facebook to servers in the United States.

He filed the complaint after former U.S. National Security Agency contractor Edward Snowden revealed two year ago the extent of the NSA's surveillance programs. On Tuesday, he expressed his delight at the ruling.

"The message is clear — that mass surveillance is not possible and against fundamental rights in Europe," he said.

Companies, he added, "cannot just aid foreign spies and get away with it because they fall under European jurisdiction."

Schrems complained to the data protection authorities in Ireland, where Facebook has its European headquarters.

Irish authorities initially rejected his complaint, pointing to a 2000 decision by the EU's executive Commission that, under the so-called "safe harbor" agreement, the U.S. ensures adequate data protection.

The agreement has allowed for the free transfer of information by companies from the EU to U.S. It has been seen as a boost to trade since, absent such a deal, swift and smooth data exchange over the Internet would be much more difficult.